My One Backward Compatible Client Config For Multiple OS's and Ciphers

warbux
OpenVpn Newbie
Posts: 10
Joined: Sun Dec 30, 2012 5:14 pm

My One Backward Compatible Client Config For Multiple OS's and Ciphers

Post by warbux » Mon Jul 17, 2017 3:16 am

Hi,

With the latest versions of OpenVPN introducing so many great new features, I wanted to put together a single client config that is backwards compatible with some of the older embedded versions (2.3.x), works for Windows, Linux, MacOS, iOS and Android via TCP or UDP, and supports multiple ciphers. Here is what I put together. It works really well in my testing, but I wanted to get some feedback on potential security issues (besides user/pass).
Universal Client Conf
remote <FQDN> 443 udp
;Ciphers Supported AES-256-GCM:AES-256-CBC:AES-128-GCM
cipher AES-128-CBC
;Delete ncp-ciphers and replace AES-128-CBC with your desired cipher
setenv ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
client
;Android Requirement
setenv CLIENT_CERT 0
;MacOS Up/Down Script Requirement
setenv script-security 2
verify-x509-name california name
dev tun
resolv-retry 20
route-delay 2
comp-lzo no
setenv route-method exe
;UDP Flag
setenv explicit-exit-notify 5
;Clear Windows DNS Cache
setenv register-dns
ignore-unknown-option script-security 2 CLIENT_CERT 0 route-method exe register-dns explicit-exit-notify 5 ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
remote-cert-tls server
nobind
auth-user-pass
verb 4
#No tls-crypt yet...
tls-auth [inline] 1


Re: My One Backward Compatible Client Config For Multiple OS's and Ciphers

Post by warbux » Thu Jul 20, 2017 11:37 pm

Found a problem importing the config into OpenVPN Connect for Android. I have modified the file below.
Revision 1
remote FQDN 443 udp
cipher AES-128-CBC
setenv ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
client
setenv CLIENT_CERT 0
setenv script-security 2
verify-x509-name california name
dev tun
resolv-retry 20
route-delay 2
comp-lzo no
setenv route-method exe
setenv explicit-exit-notify 5
setenv register-dns
ignore-unknown-option script-security 2 CLIENT_CERT 0 route-method exe register-dns explicit-exit-notify 5 ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
remote-cert-tls server
nobind
auth-user-pass
verb 4
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
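The two configs above are the poster's own; what follows is an added example, not code from the original posts or from the OpenVPN project: a small Python linter that flags the points a reviewer would raise on them. It relies only on documented OpenVPN 2.x behaviour: `setenv NAME VALUE` exports an environment variable for scripts and plugins and does not apply the directive called NAME (the manual's escape hatch for a directive an older build may not know is `setenv opt <directive> <args>`); `ignore-unknown-option` takes directive names, not their arguments; `remote-cert-tls server` (or `verify-x509-name`) is what stops any client certificate signed by the same CA from posing as the server; `tls-auth` authenticates but does not encrypt the control channel, which `tls-crypt` (2.4 and later on both ends) does; and `auth-nocache` keeps the `auth-user-pass` credentials out of memory between reconnects. The rule set, the `SETENV_SMUGGLED` list and the `BROKEN` sample are constructed for this example; `REVISION_1` is an abridged copy of the config posted above. `setenv CLIENT_CERT 0` is left alone on purpose, since that one is a setting the OpenVPN Connect clients read themselves.

```python
"""Lint an OpenVPN 2.x client config for a few common pitfalls.

Added example for this thread; the checks are heuristics written here,
not an OpenVPN tool.  See the lead-in for the manual facts they rely on.
"""
import re
from dataclasses import dataclass

# Directives people try to smuggle past old clients with a bare `setenv`.
# Constructed list for this example, not exhaustive.
SETENV_SMUGGLED = {
    "script-security", "ncp-ciphers", "route-method", "register-dns",
    "explicit-exit-notify", "block-outside-dns", "tls-crypt", "auth-nocache",
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" | "warn" | "info"
    directive: str
    message: str


def parse(text):
    """Return (directives, inline_blocks); directives is a list of (name, args)."""
    directives, inline, tag, buf = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag is not None:                      # inside <tag> ... </tag>
            if line == f"</{tag}>":
                inline[tag] = "\n".join(buf).strip()
                tag, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            tag = m.group(1)
            continue
        name, *args = line.split()
        directives.append((name, args))
    if tag is not None:
        raise ValueError(f"unterminated <{tag}> block")
    return directives, inline


def lint(text):
    directives, inline = parse(text)
    names = {n for n, _ in directives}
    out = []
    for name, args in directives:
        if name == "setenv" and args and args[0] != "opt" and args[0] in SETENV_SMUGGLED:
            out.append(Finding("warn", f"setenv {args[0]}",
                f"sets an environment variable named {args[0]!r}; the directive is not "
                f"applied. Write it directly, or 'setenv opt {args[0]} ...' so old builds ignore it."))
        elif name == "ignore-unknown-option":
            junk = [a for a in args if not re.fullmatch(r"[a-z][\w-]*", a)]
            if junk:
                out.append(Finding("info", name, f"takes directive names only; not names: {junk}"))
        elif name in ("tls-auth", "tls-crypt") and args and args[0] == "[inline]" and name not in inline:
            out.append(Finding("error", name, f"refers to [inline] but there is no <{name}> block"))
        elif name == "tls-version-min" and args and args[0] in ("1.0", "1.1"):
            out.append(Finding("warn", name, f"permits TLS {args[0]}; require 1.2"))
    if not names & {"remote-cert-tls", "verify-x509-name", "ns-cert-type"}:
        out.append(Finding("error", "remote-cert-tls",
            "no server certificate check; any CA-signed client cert can impersonate the server"))
    if "tls-version-min" not in names:
        out.append(Finding("warn", "tls-version-min", "not set; add 'tls-version-min 1.2'"))
    if "auth-user-pass" in names and "auth-nocache" not in names:
        out.append(Finding("info", "auth-nocache", "credentials stay cached in memory for reconnects"))
    if ("tls-auth" in names or "tls-auth" in inline) and not ("tls-crypt" in names or "tls-crypt" in inline):
        out.append(Finding("info", "tls-crypt",
            "control channel is authenticated, not encrypted (tls-crypt needs 2.4 on both ends)"))
    return out


# Abridged copy of Revision 1 from this thread (key material omitted, as posted).
REVISION_1 = """\
remote FQDN 443 udp
cipher AES-128-CBC
setenv ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
tls-version-min 1.2
client
setenv CLIENT_CERT 0
setenv script-security 2
setenv route-method exe
setenv explicit-exit-notify 5
setenv register-dns
ignore-unknown-option script-security 2 CLIENT_CERT 0 route-method exe register-dns explicit-exit-notify 5 ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
remote-cert-tls server
auth-user-pass
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed counter-example carrying the mistakes the checks are for.
BROKEN = """\
client
dev tun
remote vpn.example.invalid 1194 udp
auth-user-pass
tls-version-min 1.0
tls-auth [inline] 1
"""

if __name__ == "__main__":
    for label, cfg in (("Revision 1", REVISION_1), ("constructed", BROKEN)):
        print(f"== {label}")
        for f in lint(cfg):
            print(f"  [{f.severity}] {f.directive}: {f.message}")
```

Run against Revision 1 it reports no errors but warns on each of the five bare `setenv` lines and notes the stray arguments in `ignore-unknown-option`, the cached credentials, and the tls-auth-only control channel; the constructed sample shows the two outright errors (no server-certificate check, `[inline]` without a block) that the checks exist for.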
